PCT/EP2004/nsi9l7

Re Item V. 

1 The following documents are referred to in this communication: 

D1: US 6 571 289 B1 (MONTENEGRO GABRIEL E) 27 May 2003
D2: US 6 253 327 B1 (LOU SHUXIAN ET AL) 26 June 2001

2 The present application does not meet the criteria of Article 33(1) PCT because the claimed subject-matter does not involve an inventive step.

2.1 INDEPENDENT CLAIM 1 

In the words of claim 1, D1 discloses (references taken from D1):

"An apparatus arranged for receiving a Single Sign-On service request in a
telecommunication service network from a user via an access network (column 1 line
63) unable to provide data origin authentication (c1l64; c3l31-33), the user having
received access credentials as a result of being authenticated by a core network
(c3l41-43), the apparatus comprising:

- means for receiving the access credentials from the user through the access
network (c3l15-16; c3l20; c3l35; c3l41-43; c3l50-54);

- means for checking validity of the access credentials received from the user
(c3l64-…);

- means for establishing a valid session with the user upon successful validity check
of the access credentials (c3l66-c4l3);

- means for assigning an internal IP address to identify the user in the service
network (…); and

- means for linking session data, access credentials and assigned internal IP
address for the user (…);

characterised in that it includes:

- means for establishing a secure tunnel with the user when receiving the access
credentials through the access network by using an outer IP address assigned to the
user by the access network for addressing the user (c4l25-27; c4l33-36), and by
using the internal IP address assigned to identify the user in the service network
as an inner IP address in the tunnelled traffic."

PCT/Separate Sheet/409 (Sheet 1) (EPO-January 2004)

INTERNATIONAL PRELIMINARY REPORT ON PATENTABILITY (SEPARATE SHEET)

2.2 D1 does not employ a single-sign-on mechanism. The problem to be solved by the
present invention may therefore be regarded as "How to allow a user to access
multiple services, without having to successfully complete each of their
respective authentication procedures first?"

D2 discloses a mechanism which grants a subscriber access to one or more services
without requiring the subscriber to complete the authentication procedure of each
of them, thereby solving said problem (see D2, c4l30-47).

2.3 Since both documents relate to the same technical field (authentication in
computer networks), the person skilled in the art, faced with the above stated
problem and the prior art as represented by D1 and D2, would apply the invention
of D2 to the system of D1 to arrive at the claimed subject-matter. Thus claim 1
does not involve an inventive step and is therefore obvious.

INDEPENDENT CLAIMS 14 AND 18 

The same argumentation applies to independent claims 14 and 18, which define a
user equipment and a method corresponding to the apparatus of claim 1. Therefore
these claims also lack an inventive step in the sense of Art. 33(3) PCT.

CLAIMS 2-13. 15-17 AND 19-23 

Dependent claims 2-13, 15-17 and 19-23 do not contain any features which, in
combination with the features of any claim to which they refer, meet the requirements
of the PCT in respect of novelty and/or inventive step (Article 33(2) and (3) PCT).
1. An apparatus (N-41, N-42) arranged for receiving a Single
Sign-On service request in a telecommunication service
network (N-40) from a user (N-10) via an access network
(N-20) unable to provide data origin authentication, the
user (N-10) having received (S-23) access credentials
(Digital certificate) as a result of being authenticated
by a core network (N-30), the apparatus comprising:

- means for receiving (S-24) the access credentials from
the user (N-10) through the access network (N-20);

- means for checking (N-41; S-25, N-31) validity of the
access credentials received from the user (N-10);

- means for establishing a valid session with the user
(N-10) upon successful validity check of the access
credentials;

- means for assigning an internal IP address to identify
the user in the service network (N-40); and

- means for linking (N-41, S-26, N-42) session data,
access credentials and assigned internal IP address
for the user (N-10);

and characterised in that it includes:

- means for establishing a secure tunnel (S-24) with the
user (N-10) when receiving the access credentials
through the access network (N-20) by using an outer IP
address assigned to the user by the access network for
addressing the user, and by using the internal IP
address assigned to identify the user in the service
network (N-40) as an inner IP address in the tunnelled
traffic.
2. The apparatus of claim 1, further comprising means for
generating service credentials (N-41, S-26, N-42) for
authorizing the user to access a service in the service
network (N-40).

3. The apparatus of claim 2, wherein the service credentials
are generated (N-41, S-26, N-42) on a per service basis
for the user upon service request.

4. The apparatus of claim 1, further comprising means for
communicating (S-25) with an Authentication Server (N-31)
of the home network (N-30) in order to check the validity
of the access credentials received from the user (N-10)
when said access credentials are not signed by a
recognised authentication entity (N-31).

5. The apparatus of claim 1, wherein the means for
establishing the secure tunnel (S-24) with the user (N-
10) are included in a first device named Secure Service
Entry Point (N-41), and the means for linking session
data, access credentials and assigned internal IP address
for the user (N-10) are included in a second device named
Single Sign-On server (N-42).

6. The apparatus of claim 5, further comprising means for
communicating (S-26) the Secure Service Entry Point (N-
41) with the Single Sign On Server (N-42).

7. The apparatus of claim 1, further comprising means for an
additional co-ordination (S-25) between the apparatus (N-
41; N-42) and an Identity Provider (N-31) in charge of
said user in a home network (N-30) when said home network
is different than the service network (N-40) which the
apparatus is the entry point for.

8. The apparatus of claim 1 for use when the user (N-10) is
accessing a local HTTP service (N-44), or an external
service (N-51) in a network (N-50) different than the
currently accessed service network (N-40), the apparatus
having means for checking (N-41, S-30, N-43, S-28, N-42)
whether the user had been previously authenticated or
not.



9. The apparatus of claim 8, having means (S-30, S-28) for
communicating with an intermediate entity (N-43) arranged
to intercept the user's access (S-29) to the HTTP local
service (N-44), or to the external service (N-51) in an
external network (N-50).

10. The apparatus of claim 9, wherein the intermediate entity
(N-43) is an HTTP-proxy.

11. The apparatus of claim 9, wherein the intermediate entity
(N-43) is a firewall.

12. The apparatus of claim 1 for use when the user (N-10) is
accessing a non-HTTP local service (N-45), having means
for checking (N-41, S-31, N-45, S-32, N-42) whether the
user had been previously authenticated or not.

13. The apparatus of claim 1, wherein the means for receiving
access credentials comprises means for checking whether a
digital certificate issued by the core network is present
to indicate a successful authentication of the user.

14. A user equipment (N-10; N-11) arranged to carry out an
authentication procedure with a core network (N-30) and
arranged to access a telecommunication service network
(N-40) via an access network (N-20) unable to provide
data origin authentication, the user equipment (N-10; N-
11) comprising:

- means for obtaining (S-23) access credentials as a
result of being authenticated by the core network (N-
30);

AMENDED SHEET

REPLACEMENT SHEET 24

- means for sending (S-24) the access credentials
towards the service network (N-40) when accessing
through the access network (N-20);

and characterised in that it includes:

- means for establishing a secure tunnel (S-24) with the
service network (N-40) through the access network (N-
20), the secure tunnel making use of an outer IP
address assigned to the user by the access network for
addressing the user;

- means for receiving (S-24) an internal IP address
assigned by the service network (N-40) and included as
an inner IP address within the tunnelled traffic to
identify the user in the service network; and

- means for linking said access credentials with the
inner IP address and with the secure tunnel.

15. The user equipment (N-10; N-11) of claim 14, wherein the
means for obtaining access credentials includes:

- means for receiving an authentication challenge from
the core network;

- means for generating and returning an authentication
response to the core network;

- means for generating a public and private key pair;
and

- means for submitting the public key along with a
digital signature proving the ownership of the private
key towards the core network.

16. The user equipment (N-10; N-11) of claim 14, wherein the
means for obtaining access credentials includes:

- means for receiving an authentication challenge from
the core network;

- means for generating and returning an authentication
response to the core network; and

- means for requesting a digital certificate obtainable
from the core network.

17. The user equipment (N-10; N-11) of claim 16, wherein the
means for obtaining access credentials further includes
means for generating a public key for which the digital
certificate is obtainable.

18. A method for supporting Single Sign-On services in a
telecommunication service network (N-40) for a user (N-
10) accessing said service network (N-40) through an
access network (N-20) unable to provide data origin
authentication, the user (N-10) having received (S-23)
access credentials as a result of being authenticated by
a core network (N-30), the method comprising the steps
of:

- receiving (S-24) at the service network (N-40) the
access credentials from the user (N-10) through the
access network (N-20);

- checking (N-41, S-25, N-31) validity of the access
credentials received at the service network (N-40);

- establishing (N-41, S-26, N-42) a valid session with
the user (N-10) upon successful validity check of the
access credentials;

- assigning at the service network (N-41, S-26, N-42) an
internal IP address for the user (N-10) to identify
the user when accessing a service in the service
network; and

- linking (N-41, S-26, N-42) session data, access
credentials and the assigned internal IP address for
the user (N-10) at an entity (N-41; N-42) of the
service network (N-40);

and characterised by including the steps of:

- establishing a secure tunnel (S-24) between the user
equipment side (N-10) and an entity (N-41) of the
service network (N-40) through the access network (N-
20) by using an outer IP address assigned by the
access network for addressing the user, and by using
as an inner IP address in the tunnelled traffic the
internal IP address assigned to identify the user in
the service network (N-40); and

- linking said access credentials with said inner IP
address and with said secure tunnel at the user
equipment side (N-10).

19. The method of claim 18, further comprising a step of
generating service credentials (N-41, S-26, N-42) for
authorizing the user to access a service in the service
network (N-40).

20. The method of claim 19, wherein the step of generating
service credentials includes a step of generating service
credentials on a per service basis for the user upon
service request.

21. The method of claim 18, wherein the step of checking (N-
41; N-41, S-25, N-31) the validity of access credentials
received from the user (N-10) at the service network (N-
40) further includes a step of communicating (S-25) with
an Authentication Server (N-31) of the home network (N-
30), when said access credentials are not signed by a
recognised authentication entity.

22. The method of claim 18, wherein the step of linking
session data, access credentials and assigned internal IP
address for the user (N-10) further includes a step of
communicating (S-26) a first device named Secure Service
Entry Point (N-41), in charge of the secure tunnel (S-
24), with a second device named Single Sign On Server (N-
42) where the step of linking takes place.

23. The method of claim 18, for use when the user (N-10) is
accessing a local service (N-44; N-45), or an external
service (N-51) in a network (N-50) different than the
currently accessed service network (N-40), the method
further comprising a step of checking (S-28, N-42; S-32,
N-42) whether the user had been previously authenticated
or not.
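The arrangement the claims describe, as an added illustration that is not part of the application or of the report: a toy SSO server that checks access credentials (deferring to the home Authentication Server when they are not signed by a recognised entity, claims 4 and 21), assigns the inner IP address on tunnel set-up and links session, credentials and inner IP (claim 1), answers the intercepting proxy's "previously authenticated?" question (claims 8-12) and issues per-service credentials (claims 2-3). The issuer names, address pool, signature scheme and server key are constructed assumptions.

```python
import hashlib, hmac, ipaddress
from dataclasses import dataclass

# Constructed toy credential model: a credential is "signed" by its issuer and counts
# as valid here when signature == sha256(issuer|user). All names are assumptions.
RECOGNISED_ISSUERS = {"core-network-N-30"}
SERVICE_KEY = b"constructed-key-of-sso-server-N-42"   # hypothetical server secret

@dataclass(frozen=True)
class AccessCredentials:
    user: str
    issuer: str
    signature: str

def credential_signature(issuer: str, user: str) -> str:
    return hashlib.sha256(f"{issuer}|{user}".encode()).hexdigest()

class SSOServer:
    """Models N-41/N-42: checks credentials, assigns the inner IP and links it to
    the session and credentials so later requests can be attributed to the user."""
    def __init__(self, pool: str = "10.200.0.0/24"):
        self._free = iter(ipaddress.ip_network(pool).hosts())
        self._by_inner_ip: dict = {}   # inner IP -> (outer IP, credentials)

    def check_validity(self, cred: AccessCredentials) -> bool:
        if cred.issuer in RECOGNISED_ISSUERS:
            expected = credential_signature(cred.issuer, cred.user)
            return hmac.compare_digest(cred.signature, expected)
        # Not signed by a recognised entity: defer to the home Authentication Server
        # (N-31). Stand-in answer: only known roaming partners are accepted.
        return cred.issuer.startswith("roaming-partner-")

    def establish_tunnel(self, outer_ip: str, cred: AccessCredentials):
        # Tunnel set-up keyed by the access network's outer IP; returns the inner IP
        # to carry in the tunnelled traffic, or None when validation fails.
        if not self.check_validity(cred):
            return None
        inner_ip = str(next(self._free))
        self._by_inner_ip[inner_ip] = (outer_ip, cred)
        return inner_ip

    def previously_authenticated(self, inner_ip: str) -> bool:
        # What the intercepting proxy/firewall (N-43) asks about a request's inner IP.
        return inner_ip in self._by_inner_ip

    def service_credentials(self, inner_ip: str, service: str):
        # Per-service credentials: an HMAC bound to user, inner IP and service name.
        entry = self._by_inner_ip.get(inner_ip)
        if entry is None:
            return None
        msg = f"{entry[1].user}|{inner_ip}|{service}".encode()
        return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()
```

A request arriving from an inner IP with no linked entry is treated as not yet authenticated, which is the branch the proxy uses to redirect the user to the entry point.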